Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Share Post: Reddit Facebook

60 database unsecured tracking wearable fitness records million exposed

mrtroutOver 60 million wearable, fitness tracking records exposed via unsecured database
#1        Over 60 million wearable, fitness tracking records exposed via unsecured database
Data sources included Apple's HealthKit and Fitbit.      By Charlie Osborne for Zero Day | September 13, 2021 -- 16:06 GMT (09:06 PDT) | Topic: Security

An unsecured database containing over 61 million records related to wearable technology and fitness services was left exposed online.        On Monday, WebsitePlanet, together with cybersecurity researcher Jeremiah Fowler, said the database belonged to GetHealth.

Based in New York, GetHealth describes itself as a "unified solution to access health and wellness data from hundreds of wearables, medical devices, and apps." The firm's platform is able to pull health-related data from sources including Fitbit, Misfit Wearables, Microsoft Band, Strava, and Google Fit.

On June 30, 2021, the team discovered a database online that was not password protected.

The researchers said that over 61 million records were contained in the data repository, including vast swathes of user information -- some of which could be considered sensitive -- such as their names, dates of birth, weight, height, gender, and GPS logs, among other datasets.

While sampling a set of approximately 20,000 records to verify the data, the team found that the majority of data sources were from Fitbit and Apple's HealthKit.

"This information was in plain text while there was an ID that appeared to be encrypted," the researchers said. "The geo location was structured as in "America/New_York," "Europe/Dublin" and revealed that users were located all over the world."

"The files also show where data is stored and a blueprint of how the network operates from the backend and was configured," the team added.

References to GetHealth in the 16.71 GB database indicated the company was the potential owner, and once the data had been validated on the day of discovery, Fowler privately notified the company of his findings. GetHealth responded rapidly and the system was secured within a matter of hours. On the same day, the firm's CTO reached out, informed him that the security issue was now resolved, and thanked the researcher.

"It is unclear how long these records were exposed or who else may have had access to the dataset," WebsitePlanet said. "[...] We are not implying any wrongdoing by GetHealth, their customers, or partners. Nor, are we implying that any customer or user data was at risk. We were unable to determine the exact number of affected individuals before the database was restricted from public access."

ZDNet has reached out to GetHealth with additional queries and we will update when we hear back.

Possibly Related Threads…
Thread Author Replies Views Last Post
  38 million records exposed because companies used default configs in Microsoft Power mrtrout 0 107 08-23-2021 , 08:47 PM
Last Post: mrtrout
  Unsecured Database Exposes Personal Data of 35M U.S. Citizens mrtrout 0 107 08-04-2021 , 04:37 AM
Last Post: mrtrout
  Will Google’s Privacy Sandbox take the bite out of tracking cookies? mrtrout 0 399 03-11-2021 , 07:02 AM
Last Post: mrtrout
  Data analytics agency Polecat held to ransom after server exposed 30TB of records Bjyda 0 535 03-02-2021 , 10:26 PM
Last Post: Bjyda
  CNAME-based tracking increasingly used to bypass browsers’ anti-tracking defenses Bjyda 0 340 02-24-2021 , 11:40 PM
Last Post: Bjyda

Forum Jump:

Users browsing this thread: 1 Guest(s)